90 incidents on record · 2026 Headlights Incident reports by Ellie Harris · Melbourne
10 new this week Library last updated 13 July 2026
← The incident library
HD-INC-039
Professional services · Hong Kong · 2024 · AI as weapon

A finance worker at Arup paid out about US$25 million after a video call with colleagues who were all deepfakes

By Ellie Harris · Filed January 2024 (disclosed May 2024)

Alleged: Arup developed or deployed the AI system implicated in this incident. Details are drawn from public reports; parties are presumed innocent of any wrongdoing not established by an official finding.

A finance worker at Arup paid out about US$25 million after a video call with colleagues who were all deepfakes

What happened

A finance employee in Arup’s Hong Kong office received a message, said to be from the firm’s UK-based chief financial officer, about a confidential transaction. The employee was suspicious at first, because the request had the shape of a phishing email. The doubt was overcome by what came next: a video call. On the call were the chief financial officer and several other colleagues the employee recognised. Reassured, the employee carried out the instructions, making fifteen transfers totalling about HK$200 million, roughly US$25 million, to five Hong Kong bank accounts.

Everyone else on the call had been faked. The “colleagues” were AI-generated deepfakes, built from publicly available video and audio of real Arup staff, convincing enough to pass as the executives they imitated during the meeting. The fraud came to light only when the employee later checked with the corporation’s head office.

Hong Kong police described the case in February 2024, and Arup, a global engineering and design firm, confirmed in May 2024 that it had been the target. No arrests have been announced specifically for the Arup fraud, no perpetrators have been publicly identified, and the money has not been recovered. The detail that unsettled people was how ordinary the defence had been and how easily it failed: the employee did the sensible thing and asked to see the people giving the instruction, and seeing them was exactly the trick.

What an auditable version would have shown

A high-value transfer should be answerable to a simple question after the fact: what authorised it, and was that authority verified. Here the authorisation was a face on a screen, and nothing recorded whether that face had been confirmed through any channel independent of the call itself. An auditable version records, for each high-value payment, the instruction, the approval, and the out-of-band check that confirmed the instruction was genuine, captured at the time. With that record the missing step is visible in advance: there was no confirmation independent of the very call that was the attack.

Where the gap was

The gap is older than deepfakes, and deepfakes made it lethal. The control on a large transfer was visual recognition of the people asking for it, and visual recognition is now forgeable in real time. Seeing and hearing a known executive is no longer evidence the instruction is real. The control that holds is an AuthorityGate: a high-consequence action proceeds only when the source of the instruction is verified through a trusted, independent channel, not on the strength of how convincing the request looks or sounds. A ConductRecord preserves what authorised each action, so an organisation can show that the verification happened rather than assume it did. The same logic governs an AI agent acting on an instruction and a person acting on one: the question is whether the source was actually authorised, and whether that can be proven.

What governance should have looked like

The lesson is not that the employee was careless. The employee sought reassurance and was given a manufactured version of exactly the reassurance a careful person would seek. The lesson is that identity confirmed by sight and sound can no longer gate money, and that the verification of a high-value instruction has to move to a channel the attacker does not control: a callback to a known number, a second approver, a check that does not live inside the conversation being used to deceive. Those steps are ordinary in a mature controls environment. What deepfakes change is that they are no longer optional, and that the record of whether they happened is what separates a controlled payment from a hope.

The reference implementation of AuthorityGate and ConductRecord is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. The repository is public now.

Sources

The mailing list

Fresh incident reports every week. One email to match.

We add new incidents to the library regularly, and send a single short email each week with what's new. The library stays free and open; this is just how you keep up with it.

No tracking. Unsubscribe in one click.

The record

An auditable system would have produced a signed, tamper-evident record the moment this happened: what the system did, the version that did it, the basis it acted on, and the action taken, and Arup could have produced it on demand.

This is the record the system as deployed did not produce in a signed, auditable form.

What this teaches
Capture what happened when it happens
What the system did, the version that did it, the basis it acted on, and the action taken, recorded at the moment, not reconstructed after.
Sign it, so no one has to trust the record-keeper
A tamper-evident entry. Edit it later and the signature breaks. The record does not ask for the benefit of the doubt.
Make it verifiable by anyone
A court, a regulator, a customer's lawyer can check the record themselves, without taking the company, or us, at our word.

Headlights summarises publicly reported AI incidents. All summaries are independently written, attributed to their original sources, and intended for research and educational purposes. Allegations are identified as such until established through official findings.

Last reviewed June 2026. This report is based on the sources listed above and reflects information available at the time of review; later developments may not be captured. Where a person is described as charged with or alleged to have done something, that allegation is unproven unless a conviction or a court or regulatory finding is stated. Headlights publishes journalism and commentary, not legal advice.

Want to write back?

Direct to my inbox.

ellie@useheadlights.com →